Re: slapd ACL - limit bind to employeeType=<various>
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: Re: slapd ACL - limit bind to employeeType=<various>
- From: Tim Watts <tim.j.watts@kcl.ac.uk>
- Date: Tue, 12 Apr 2016 10:37:30 +0100
- In-reply-to: <f9a748d036b34a9290d70b247049f210@AM4PR03MB1682.eurprd03.prod.outlook.com>
- References: <570ACD82.5070000@kcl.ac.uk> <f9a748d036b34a9290d70b247049f210@AM4PR03MB1682.eurprd03.prod.outlook.com>
Sir, you are a genius :)
On 11/04/16 07:31, Michael Ströder wrote:
> # some entries matching filter
> access to
>         attrs=userPassword
>         filter=(!(employeeType=Archive)(employeeType=Delete))
>         by ..some who clauses for setting password
>         by * auth
>
> # all other entries
> access to
>         attrs=userPassword
>         by * none
Very slight tweak to the syntax (with huge thanks - I would not have
guessed this was the required technique - I was concentrating on finding
an "auth" ACL when I was googling.)
This is the full ACL list for context, should anyone find this useful.
The nice thing is that I can add new employeeTypes (eg "BA" for
undergrads) without breaking the core logic.
Also, this should be fundamentally more secure as we can now disable
accounts in one place.
In case anyone is wondering the difference between "Archive" and
"Delete", they are as follows:
"Archive" - keep the user in the libnss lists (eg getent passwd still
returns them, so that file UIDs resolve). User cannot log in.
"Delete" - they vanish from libnss and other places, but we still hold
their LDAP record for easy resurrection (this happens a lot - we have a
class of nomadic users - they work on a project, go away, then come back
on another project 2 years later).
===========================================
access to attrs=userPassword
        filter=(&(!(employeeType=Archive))(!(employeeType=Delete)))
        by peername.path="/var/run/slapd/ldapi" manage
        by set="user/uid & [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" manage
        by self write
        by * auth

access to attrs=userPassword
        by * none

# Certain attributes that should not be publicly readable
access to attrs=bindTimestamp,modifyTimestamp,modifiersName,creatorsName,createTimestamp
        by peername.path="/var/run/slapd/ldapi" manage
        by set="user/uid & [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" manage
        by self read
        by * none

# The admin dn has full write access, everyone else
# can read everything. Local unix domain socket (root only)
# can do everything
access to *
        by peername.path="/var/run/slapd/ldapi" manage
        by set="user/uid & [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" manage
        by * read
===========================================
I'll do some more testing and have a look at that "set=" inefficiency too.
Thanks very much for your help :)
Tim
--
Tim Watts Tel (VOIP): +44 (0)1580 848360
Systems Manager Kings Digital Lab (KDL), King's College London
Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
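An added example (not code from this thread or from OpenLDAP) that simulates how slapd evaluates the two userPassword directives above: a small RFC 4515 filter parser for the subset used (&, !, attr=value), first-matching-directive semantics, and "by self" / "by *" who-clauses. The ldapi and set="..." clauses are left out, and the parser rejects the single-operand-NOT mistake in the originally suggested filter.

```python
"""Simulator for the two userPassword directives in the thread (added example,
not thread or OpenLDAP code). Models attrs selection, the filter subset
(&, !, attr=value), 'by self'/'by *' and first-matching-directive semantics."""

def parse_filter(s):
    """Parse a subset of RFC 4515 filter syntax into a nested tuple tree."""
    def parse(i):                      # s[i] must be '('
        if s[i + 1] in "&!":
            op, i, kids = s[i + 1], i + 2, []
            while s[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if op == "!" and len(kids) != 1:   # rejects (!(a=x)(b=y))
                raise ValueError("NOT takes exactly one operand")
            return (op, kids), i + 1           # skip closing ')'
        j = s.index(")", i)
        attr, val = s[i + 1:j].split("=", 1)
        return ("=", attr, val), j + 1
    tree, _end = parse(0)
    return tree

def matches(node, entry):
    # entry is a dict of attribute name -> list of values (plus "dn")
    if node[0] == "=":
        return node[2] in entry.get(node[1], [])
    op, kids = node
    if op == "&":
        return all(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)         # op == "!"

# The thread's two directives for userPassword, in slapd evaluation order.
ACLS = [
    {"attrs": {"userPassword"},
     "filter": parse_filter("(&(!(employeeType=Archive))(!(employeeType=Delete)))"),
     "by": [("self", "write"), ("*", "auth")]},
    {"attrs": {"userPassword"}, "filter": None, "by": [("*", "none")]},
]

def access(acls, requester_dn, entry, attr):
    """Access level granted by the first directive whose 'to' clause matches."""
    for acl in acls:
        if attr not in acl["attrs"]:
            continue
        if acl["filter"] is not None and not matches(acl["filter"], entry):
            continue
        for who, level in acl["by"]:
            if who == "*" or (who == "self" and requester_dn == entry["dn"]):
                return level
        return "none"  # directive matched but no who-clause applied
    return "none"
```

Because the filtered directive is listed first and the unfiltered `by * none` second, an Archive or Delete entry never reaches a clause granting auth, which is what makes the bind fail for disabled accounts.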